From b7f2cbe2bdeb4a8fb5bd44b43378fb711ed6c490 Mon Sep 17 00:00:00 2001 From: Jason Parraga Date: Wed, 26 Feb 2025 21:27:21 -0800 Subject: [PATCH] Not sure what to do about pflags Signed-off-by: Jason Parraga --- charts/flyte-core/README.md | 5 +-- charts/flyte-core/values.yaml | 25 +++++++++++++ .../flyte_aws_scheduler_helm_generated.yaml | 24 ++++++++++++- .../flyte_helm_controlplane_generated.yaml | 26 ++++++++++++-- deployment/eks/flyte_helm_generated.yaml | 26 ++++++++++++-- .../flyte_helm_controlplane_generated.yaml | 26 ++++++++++++-- deployment/gcp/flyte_helm_generated.yaml | 26 ++++++++++++-- deployment/sandbox/flyte_helm_generated.yaml | 26 ++++++++++++-- .../manifests/complete-agent.yaml | 4 +-- .../sandbox-bundled/manifests/complete.yaml | 4 +-- docker/sandbox-bundled/manifests/dev.yaml | 4 +-- flyteadmin/auth/config/config_flags.go | 12 +++---- flyteadmin/auth/config/config_flags_test.go | 36 +++++++++---------- 13 files changed, 201 insertions(+), 43 deletions(-) diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md index 9d8c0d3c56..6ff529d416 100644 --- a/charts/flyte-core/README.md +++ b/charts/flyte-core/README.md 
@@ -102,8 +102,9 @@ helm install gateway bitnami/contour -n flyte | common.ingress.tls | object | `{"enabled":false}` | - Ingress hostname host: | | common.ingress.webpackHMR | bool | `false` | - Enable or disable HMR route to flyteconsole. This is useful only for frontend development. | | configmap.admin | object | `{"admin":{"clientId":"{{ .Values.secrets.adminOauthClientCredentials.clientId }}","clientSecretLocation":"/etc/secrets/client_secret","endpoint":"flyteadmin:81","insecure":true},"event":{"capacity":1000,"rate":500,"type":"admin"}}` | Admin Client configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/subworkflow/launchplan#AdminConfig) | -| configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration | -| configmap.adminServer.auth | object | 
`{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}}` | Authentication configuration | +| configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"rbac":{"bypassMethodPatterns":["/grpc.health.v1.Health/.*","/flyteidl.service.AuthMetadataService/.*"],"enabled":false,"policies":[{"role":"admin","rules":[{"methodPattern":".*","name":"Admin allow all"}]},{"role":"flytesnacks-engineer","rules":[{"domain":"development","methodPattern":".*","name":"Flytesnacks engineer dev write access","project":"flytesnacks"},{"domain":"production","methodPattern":"List.*|Get.*","name":"Flytesnacks engineer prod read access","project":"flytesnacks"}]}],"tokenScopeRoleResolver":{"enabled":true}},"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration | +| configmap.adminServer.auth | object | 
`{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"rbac":{"bypassMethodPatterns":["/grpc.health.v1.Health/.*","/flyteidl.service.AuthMetadataService/.*"],"enabled":false,"policies":[{"role":"admin","rules":[{"methodPattern":".*","name":"Admin allow all"}]},{"role":"flytesnacks-engineer","rules":[{"domain":"development","methodPattern":".*","name":"Flytesnacks engineer dev write access","project":"flytesnacks"},{"domain":"production","methodPattern":"List.*|Get.*","name":"Flytesnacks engineer prod read access","project":"flytesnacks"}]}],"tokenScopeRoleResolver":{"enabled":true}},"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}}` | Authentication configuration | +| configmap.adminServer.auth.rbac | object | `{"bypassMethodPatterns":["/grpc.health.v1.Health/.*","/flyteidl.service.AuthMetadataService/.*"],"enabled":false,"policies":[{"role":"admin","rules":[{"methodPattern":".*","name":"Admin allow all"}]},{"role":"flytesnacks-engineer","rules":[{"domain":"development","methodPattern":".*","name":"Flytesnacks engineer dev write access","project":"flytesnacks"},{"domain":"production","methodPattern":"List.*|Get.*","name":"Flytesnacks engineer prod read access","project":"flytesnacks"}]}],"tokenScopeRoleResolver":{"enabled":true}}` | RBAC / Authorization configuration | | configmap.adminServer.server.security.secure | bool | `false` | Controls whether to serve requests over SSL/TLS. | | configmap.adminServer.server.security.useAuth | bool | `false` | Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication. 
| | configmap.catalog | object | `{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}}` | Catalog Client configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/task/catalog#Config) Additional advanced Catalog configuration [here](https://pkg.go.dev/github.com/lyft/flyteplugins/go/tasks/pluginmachinery/catalog#Config) | diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml index ee2c03a400..af3f3c8c4f 100755 --- a/charts/flyte-core/values.yaml +++ b/charts/flyte-core/values.yaml @@ -766,6 +766,31 @@ configmap: - profile - openid clientId: 657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com + # -- RBAC / Authorization configuration + rbac: + enabled: false + bypassMethodPatterns: + - "/grpc.health.v1.Health/.*" + - "/flyteidl.service.AuthMetadataService/.*" + tokenScopeRoleResolver: + enabled: true + policies: + - role: "admin" + rules: + - name: "Admin allow all" + methodPattern: ".*" + - role: "flytesnacks-engineer" + rules: + - name: "Flytesnacks engineer dev write access" + methodPattern: ".*" + project: flytesnacks + domain: development + - name: "Flytesnacks engineer prod read access" + methodPattern: "List.*|Get.*" + project: flytesnacks + domain: production + + # -- Datacatalog server config datacatalogServer: diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml index de8f85538a..4cf5d92254 100644 --- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml +++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml 
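Review bot: The sample policy rule `methodPattern: "List.*|Get.*"` in the new `rbac.policies` block is an unanchored alternation, so what it grants depends on how the matcher (not in this patch) applies it: if the pattern is wrapped as `^` + pattern + `$`, the anchors bind only to the outer alternatives and `Get.*$` matches any method whose name contains `Get`, wider than "prod read access" suggests; `(List|Get).*` reads the same either way. The `bypassMethodPatterns` entries are written as full gRPC method paths (`/grpc.health.v1.Health/.*`) while the policy patterns are bare (`.*`, `List.*|Get.*`), so either the two are matched against different strings or the examples will not match full method names. A one-line comment above `policies:` stating what `methodPattern` is matched against and whether it is anchored, e.g. `# methodPattern is a regex matched against <METHOD-NAME-FORM — fill in>; unanchored patterns match substrings`, would let operators who copy these examples write correct rules.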
@@ -144,6 +144,28 @@ data: - https://localhost:30081 - http://flyteadmin:80 - http://flyteadmin.flyte.svc.cluster.local:80 + rbac: + bypassMethodPatterns: + - /grpc.health.v1.Health/.* + - /flyteidl.service.AuthMetadataService/.* + enabled: false + policies: + - role: admin + rules: + - methodPattern: .* + name: Admin allow all + - role: flytesnacks-engineer + rules: + - domain: development + methodPattern: .* + name: Flytesnacks engineer dev write access + project: flytesnacks + - domain: production + methodPattern: List.*|Get.* + name: Flytesnacks engineer prod read access + project: flytesnacks + tokenScopeRoleResolver: + enabled: true userAuth: openId: baseUrl: https://accounts.google.com @@ -858,7 +880,7 @@ spec: template: metadata: annotations: - configChecksum: "c943b200cd0bed97fe456c0c713dd79cdc4e22133495cac89db3fc55e9b79c7" + configChecksum: "155fefcf10a34c12d481f97e8b8fe2f5c794b81a23a39001f661773cf44de92" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte diff --git a/deployment/eks/flyte_helm_controlplane_generated.yaml b/deployment/eks/flyte_helm_controlplane_generated.yaml index ea8c97c6e3..84f0bd56ce 100644 --- a/deployment/eks/flyte_helm_controlplane_generated.yaml +++ b/deployment/eks/flyte_helm_controlplane_generated.yaml @@ -125,6 +125,28 @@ data: - https://localhost:30081 - http://flyteadmin:80 - http://flyteadmin.flyte.svc.cluster.local:80 + rbac: + bypassMethodPatterns: + - /grpc.health.v1.Health/.* + - /flyteidl.service.AuthMetadataService/.* + enabled: false + policies: + - role: admin + rules: + - methodPattern: .* + name: Admin allow all + - role: flytesnacks-engineer + rules: + - domain: development + methodPattern: .* + name: Flytesnacks engineer dev write access + project: flytesnacks + - domain: production + methodPattern: List.*|Get.* + name: Flytesnacks engineer prod read access + project: flytesnacks + tokenScopeRoleResolver: + enabled: true userAuth: openId: baseUrl: https://accounts.google.com 
@@ -561,7 +583,7 @@ spec: template: metadata: annotations: - configChecksum: "391e8e126d669f751ac1a03de0b45fe7969a0fe58f3dfead9bb7be1b5d951ff" + configChecksum: "6dfd34f2ffa25346bfecaa5de1366a20fad2571e1fe7787e302c69a1a627e8c" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -983,7 +1005,7 @@ spec: template: metadata: annotations: - configChecksum: "391e8e126d669f751ac1a03de0b45fe7969a0fe58f3dfead9bb7be1b5d951ff" + configChecksum: "6dfd34f2ffa25346bfecaa5de1366a20fad2571e1fe7787e302c69a1a627e8c" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index 68526a9589..59aa45d04f 100644 --- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -156,6 +156,28 @@ data: - https://localhost:30081 - http://flyteadmin:80 - http://flyteadmin.flyte.svc.cluster.local:80 + rbac: + bypassMethodPatterns: + - /grpc.health.v1.Health/.* + - /flyteidl.service.AuthMetadataService/.* + enabled: false + policies: + - role: admin + rules: + - methodPattern: .* + name: Admin allow all + - role: flytesnacks-engineer + rules: + - domain: development + methodPattern: .* + name: Flytesnacks engineer dev write access + project: flytesnacks + - domain: production + methodPattern: List.*|Get.* + name: Flytesnacks engineer prod read access + project: flytesnacks + tokenScopeRoleResolver: + enabled: true userAuth: openId: baseUrl: https://accounts.google.com @@ -889,7 +911,7 @@ spec: template: metadata: annotations: - configChecksum: "391e8e126d669f751ac1a03de0b45fe7969a0fe58f3dfead9bb7be1b5d951ff" + configChecksum: "6dfd34f2ffa25346bfecaa5de1366a20fad2571e1fe7787e302c69a1a627e8c" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte 
@@ -1311,7 +1333,7 @@ spec: template: metadata: annotations: - configChecksum: "391e8e126d669f751ac1a03de0b45fe7969a0fe58f3dfead9bb7be1b5d951ff" + configChecksum: "6dfd34f2ffa25346bfecaa5de1366a20fad2571e1fe7787e302c69a1a627e8c" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte diff --git a/deployment/gcp/flyte_helm_controlplane_generated.yaml b/deployment/gcp/flyte_helm_controlplane_generated.yaml index 3b9d7f39f4..68558e217a 100644 --- a/deployment/gcp/flyte_helm_controlplane_generated.yaml +++ b/deployment/gcp/flyte_helm_controlplane_generated.yaml @@ -125,6 +125,28 @@ data: - https://localhost:30081 - http://flyteadmin:80 - http://flyteadmin.flyte.svc.cluster.local:80 + rbac: + bypassMethodPatterns: + - /grpc.health.v1.Health/.* + - /flyteidl.service.AuthMetadataService/.* + enabled: false + policies: + - role: admin + rules: + - methodPattern: .* + name: Admin allow all + - role: flytesnacks-engineer + rules: + - domain: development + methodPattern: .* + name: Flytesnacks engineer dev write access + project: flytesnacks + - domain: production + methodPattern: List.*|Get.* + name: Flytesnacks engineer prod read access + project: flytesnacks + tokenScopeRoleResolver: + enabled: true userAuth: openId: baseUrl: https://accounts.google.com @@ -576,7 +598,7 @@ spec: template: metadata: annotations: - configChecksum: "20a517901c6b6f01f47e968fa15ca51f6d9522e728ecace8b48553eb428cde6" + configChecksum: "af09b0696664b8187b3388d48fc57012fd0d5ff6403bda51904f000b5efe904" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -998,7 +1020,7 @@ spec: template: metadata: annotations: - configChecksum: "20a517901c6b6f01f47e968fa15ca51f6d9522e728ecace8b48553eb428cde6" + configChecksum: "af09b0696664b8187b3388d48fc57012fd0d5ff6403bda51904f000b5efe904" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte 
diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index cd1ec3f751..4334c279a2 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml @@ -156,6 +156,28 @@ data: - https://localhost:30081 - http://flyteadmin:80 - http://flyteadmin.flyte.svc.cluster.local:80 + rbac: + bypassMethodPatterns: + - /grpc.health.v1.Health/.* + - /flyteidl.service.AuthMetadataService/.* + enabled: false + policies: + - role: admin + rules: + - methodPattern: .* + name: Admin allow all + - role: flytesnacks-engineer + rules: + - domain: development + methodPattern: .* + name: Flytesnacks engineer dev write access + project: flytesnacks + - domain: production + methodPattern: List.*|Get.* + name: Flytesnacks engineer prod read access + project: flytesnacks + tokenScopeRoleResolver: + enabled: true userAuth: openId: baseUrl: https://accounts.google.com @@ -912,7 +934,7 @@ spec: template: metadata: annotations: - configChecksum: "20a517901c6b6f01f47e968fa15ca51f6d9522e728ecace8b48553eb428cde6" + configChecksum: "af09b0696664b8187b3388d48fc57012fd0d5ff6403bda51904f000b5efe904" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -1334,7 +1356,7 @@ spec: template: metadata: annotations: - configChecksum: "20a517901c6b6f01f47e968fa15ca51f6d9522e728ecace8b48553eb428cde6" + configChecksum: "af09b0696664b8187b3388d48fc57012fd0d5ff6403bda51904f000b5efe904" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index b37ebb66e7..7e3e18b5c9 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml 
@@ -276,6 +276,28 @@ data: - https://localhost:30081 - http://flyteadmin:80 - http://flyteadmin.flyte.svc.cluster.local:80 + rbac: + bypassMethodPatterns: + - /grpc.health.v1.Health/.* + - /flyteidl.service.AuthMetadataService/.* + enabled: false + policies: + - role: admin + rules: + - methodPattern: .* + name: Admin allow all + - role: flytesnacks-engineer + rules: + - domain: development + methodPattern: .* + name: Flytesnacks engineer dev write access + project: flytesnacks + - domain: production + methodPattern: List.*|Get.* + name: Flytesnacks engineer prod read access + project: flytesnacks + tokenScopeRoleResolver: + enabled: true userAuth: openId: baseUrl: https://accounts.google.com @@ -6696,7 +6718,7 @@ spec: template: metadata: annotations: - configChecksum: "f2d2bbea27b58cc5a73da30eb8aeb56fc41863f4eba2bfe407da2e97a6372e8" + configChecksum: "aed279976feb8cc5f4d9baed5fb6f613ddc36756d2c86ff0085856ffcce3ba5" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -7089,7 +7111,7 @@ spec: template: metadata: annotations: - configChecksum: "f2d2bbea27b58cc5a73da30eb8aeb56fc41863f4eba2bfe407da2e97a6372e8" + configChecksum: "aed279976feb8cc5f4d9baed5fb6f613ddc36756d2c86ff0085856ffcce3ba5" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte diff --git a/docker/sandbox-bundled/manifests/complete-agent.yaml b/docker/sandbox-bundled/manifests/complete-agent.yaml index b8fc62d8d1..e5b032b8b8 100644 --- a/docker/sandbox-bundled/manifests/complete-agent.yaml +++ b/docker/sandbox-bundled/manifests/complete-agent.yaml @@ -821,7 +821,7 @@ type: Opaque --- apiVersion: v1 data: - haSharedSecret: NmdFQmhIcGQ3QUY4anJ4OQ== + haSharedSecret: bFgyOTlldkF3bmFqTEhubw== proxyPassword: "" proxyUsername: "" kind: Secret 
@@ -1418,7 +1418,7 @@ spec: metadata: annotations: checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81 - checksum/secret: e70b19a9c6f4e7c05fff1fb0b2adc885112a99eab0fc2a893762513e45e1a230 + checksum/secret: ca5a0367eab28eacc1eb8f4d4d8c0c9cc7f87532bb832198bd92765a51c2fbb5 labels: app: docker-registry release: flyte-sandbox diff --git a/docker/sandbox-bundled/manifests/complete.yaml b/docker/sandbox-bundled/manifests/complete.yaml index a70b4f7acb..85a7c7bea0 100644 --- a/docker/sandbox-bundled/manifests/complete.yaml +++ b/docker/sandbox-bundled/manifests/complete.yaml @@ -803,7 +803,7 @@ type: Opaque --- apiVersion: v1 data: - haSharedSecret: TG9qSkFYNDBjc3JJakxZYw== + haSharedSecret: VFN0czllS0ZURjg5ZjNNag== proxyPassword: "" proxyUsername: "" kind: Secret @@ -1367,7 +1367,7 @@ spec: metadata: annotations: checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81 - checksum/secret: a6fd0b4e81971aff50f056b2beddcb3b0eb480659bcea29f287a9773123ede6c + checksum/secret: fd1e68d273dadaad26f90b7f2a54a13e3eb9e0c88f338eaa629dea52e7d8af83 labels: app: docker-registry release: flyte-sandbox diff --git a/docker/sandbox-bundled/manifests/dev.yaml b/docker/sandbox-bundled/manifests/dev.yaml index 44c04d3a70..06ad89ef84 100644 --- a/docker/sandbox-bundled/manifests/dev.yaml +++ b/docker/sandbox-bundled/manifests/dev.yaml @@ -499,7 +499,7 @@ metadata: --- apiVersion: v1 data: - haSharedSecret: Q2dOYmdSM0FNbnJSUE9qcA== + haSharedSecret: Q3QzVkxzSnUzU1hmMnAySg== proxyPassword: "" proxyUsername: "" kind: Secret @@ -934,7 +934,7 @@ spec: metadata: annotations: checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81 - checksum/secret: 2fd78377e09dbed8a7a620d718063e8bb1478d7c233bec3b5ebc32bcc255c0d4 + checksum/secret: fee3b71f2cfab2c3f3744a8082704a8683711312862377f7b7efb9a13421d25e labels: app: docker-registry release: flyte-sandbox 
diff --git a/flyteadmin/auth/config/config_flags.go b/flyteadmin/auth/config/config_flags.go
index 63b37de041..31373c234e 100755
--- a/flyteadmin/auth/config/config_flags.go
+++ b/flyteadmin/auth/config/config_flags.go
@@ -84,11 +84,11 @@ func (cfg Config) GetPFlagSet(prefix string) *pflag.FlagSet {
 cmdFlags.String(fmt.Sprintf("%v%v", prefix, "appAuth.thirdPartyConfig.flyteClient.redirectUri"), DefaultConfig.AppAuth.ThirdParty.FlyteClientConfig.RedirectURI, "This is the callback uri registered with the app which handles authorization for a Flyte deployment")
 cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "appAuth.thirdPartyConfig.flyteClient.scopes"), DefaultConfig.AppAuth.ThirdParty.FlyteClientConfig.Scopes, "Recommended scopes for the client to request.")
 cmdFlags.String(fmt.Sprintf("%v%v", prefix, "appAuth.thirdPartyConfig.flyteClient.audience"), DefaultConfig.AppAuth.ThirdParty.FlyteClientConfig.Audience, "Audience to use when initiating OAuth2 authorization requests.")
- cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbacConfig.enabled"), DefaultConfig.Rbac.Enabled, "Enables RBAC.")
- cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbacConfig.bypassMethodPatterns"), DefaultConfig.Rbac.BypassMethodPatterns, "List of regex patterns to match against method names to bypass RBAC.")
- cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbacConfig.tokenScopeRoleResolver.enabled"), DefaultConfig.Rbac.TokenScopeRoleResolver.Enabled, "Enables token scope based role resolution.")
- cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbacConfig.tokenClaimRoleResolver.enabled"), DefaultConfig.Rbac.TokenClaimRoleResolver.Enabled, "Enables token claim based role resolution.")
- cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbacConfig.tokenClaimRoleResolver.tokenClaims"), DefaultConfig.Rbac.TokenClaimRoleResolver.TokenClaims, "List of claims to use for role resolution.")
- cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbacConfig.policies"), DefaultConfig.Rbac.Policies, "Authorization policies to use for RBAC.")
+ cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.enabled"), DefaultConfig.Rbac.Enabled, "Enables RBAC.")
+ cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbac.bypassMethodPatterns"), 
DefaultConfig.Rbac.BypassMethodPatterns, "List of regex patterns to match against method names to bypass RBAC.")
+ cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.tokenScopeRoleResolver.enabled"), DefaultConfig.Rbac.TokenScopeRoleResolver.Enabled, "Enables token scope based role resolution.")
+ cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "rbac.tokenClaimRoleResolver.enabled"), DefaultConfig.Rbac.TokenClaimRoleResolver.Enabled, "Enables token claim based role resolution.")
+ cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbac.tokenClaimRoleResolver.tokenClaims"), DefaultConfig.Rbac.TokenClaimRoleResolver.TokenClaims, "List of claims to use for role resolution.")
+ cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "rbac.policies"), DefaultConfig.Rbac.Policies, "Authorization policies to use for RBAC.")
 return cmdFlags
 }
diff --git a/flyteadmin/auth/config/config_flags_test.go b/flyteadmin/auth/config/config_flags_test.go
index 792a89b7fc..55d5a6daea 100755
--- a/flyteadmin/auth/config/config_flags_test.go
+++ b/flyteadmin/auth/config/config_flags_test.go
@@ -575,13 +575,13 @@ func TestConfig_SetFlags(t *testing.T) {
 }
 })
 })
- t.Run("Test_rbacConfig.enabled", func(t *testing.T) {
+ t.Run("Test_rbac.enabled", func(t *testing.T) {
 t.Run("Override", func(t *testing.T) {
 testValue := "1"
- cmdFlags.Set("rbacConfig.enabled", testValue)
- if vBool, err := cmdFlags.GetBool("rbacConfig.enabled"); err == nil {
+ cmdFlags.Set("rbac.enabled", testValue)
+ if vBool, err := cmdFlags.GetBool("rbac.enabled"); err == nil {
 testDecodeJson_Config(t, fmt.Sprintf("%v", vBool), &actual.Rbac.Enabled)
 } else {
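Review bot: The rename from `rbacConfig.*` to `rbac.*` is applied by hand to a file that looks generated (the uniform `fmt.Sprintf("%v%v", prefix, ...)` registrations and the matching `Test_rbac.*` subtests in config_flags_test.go), and the commit title says as much; if these flag names are derived from the `Rbac` field's struct tag, the tag is where the rename belongs, followed by regenerating both files, otherwise the next `go generate` reverts the flags to `rbacConfig.*` while the chart keeps `rbac:` and a command-line override of `rbac.enabled` silently stops binding to the loaded section. The flag key has to agree with the key the config loader uses for the `Rbac` field, which is not visible in this hunk, so a short comment at the top of the file naming the generator invocation would let the next maintainer regenerate instead of editing. `rbac.policies` is registered as a `StringSlice` although values.yaml models policies as role/rules objects; if the generator emitted that because it could not map the type, the help text `Authorization policies to use for RBAC.` overpromises what the flag can set, and it is worth confirming the flag is not documented as a usable override. GetPFlagSet begins outside the hunk.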
@@ -589,13 +589,13 @@ func TestConfig_SetFlags(t *testing.T) { } }) }) - t.Run("Test_rbacConfig.bypassMethodPatterns", func(t *testing.T) { + t.Run("Test_rbac.bypassMethodPatterns", func(t *testing.T) { t.Run("Override", func(t *testing.T) { testValue := join_Config(DefaultConfig.Rbac.BypassMethodPatterns, ",") - cmdFlags.Set("rbacConfig.bypassMethodPatterns", testValue) - if vStringSlice, err := cmdFlags.GetStringSlice("rbacConfig.bypassMethodPatterns"); err == nil { + cmdFlags.Set("rbac.bypassMethodPatterns", testValue) + if vStringSlice, err := cmdFlags.GetStringSlice("rbac.bypassMethodPatterns"); err == nil { testDecodeRaw_Config(t, join_Config(vStringSlice, ","), &actual.Rbac.BypassMethodPatterns) } else { @@ -603,13 +603,13 @@ func TestConfig_SetFlags(t *testing.T) { } }) }) - t.Run("Test_rbacConfig.tokenScopeRoleResolver.enabled", func(t *testing.T) { + t.Run("Test_rbac.tokenScopeRoleResolver.enabled", func(t *testing.T) { t.Run("Override", func(t *testing.T) { testValue := "1" - cmdFlags.Set("rbacConfig.tokenScopeRoleResolver.enabled", testValue) - if vBool, err := cmdFlags.GetBool("rbacConfig.tokenScopeRoleResolver.enabled"); err == nil { + cmdFlags.Set("rbac.tokenScopeRoleResolver.enabled", testValue) + if vBool, err := cmdFlags.GetBool("rbac.tokenScopeRoleResolver.enabled"); err == nil { testDecodeJson_Config(t, fmt.Sprintf("%v", vBool), &actual.Rbac.TokenScopeRoleResolver.Enabled) } else { 
@@ -617,13 +617,13 @@ func TestConfig_SetFlags(t *testing.T) { } }) }) - t.Run("Test_rbacConfig.tokenClaimRoleResolver.enabled", func(t *testing.T) { + t.Run("Test_rbac.tokenClaimRoleResolver.enabled", func(t *testing.T) { t.Run("Override", func(t *testing.T) { testValue := "1" - cmdFlags.Set("rbacConfig.tokenClaimRoleResolver.enabled", testValue) - if vBool, err := cmdFlags.GetBool("rbacConfig.tokenClaimRoleResolver.enabled"); err == nil { + cmdFlags.Set("rbac.tokenClaimRoleResolver.enabled", testValue) + if vBool, err := cmdFlags.GetBool("rbac.tokenClaimRoleResolver.enabled"); err == nil { testDecodeJson_Config(t, fmt.Sprintf("%v", vBool), &actual.Rbac.TokenClaimRoleResolver.Enabled) } else { @@ -631,13 +631,13 @@ func TestConfig_SetFlags(t *testing.T) { } }) }) - t.Run("Test_rbacConfig.tokenClaimRoleResolver.tokenClaims", func(t *testing.T) { + t.Run("Test_rbac.tokenClaimRoleResolver.tokenClaims", func(t *testing.T) { t.Run("Override", func(t *testing.T) { testValue := DefaultConfig.Rbac.TokenClaimRoleResolver.TokenClaims - cmdFlags.Set("rbacConfig.tokenClaimRoleResolver.tokenClaims", testValue) - if vStringSlice, err := cmdFlags.GetStringSlice("rbacConfig.tokenClaimRoleResolver.tokenClaims"); err == nil { + cmdFlags.Set("rbac.tokenClaimRoleResolver.tokenClaims", testValue) + if vStringSlice, err := cmdFlags.GetStringSlice("rbac.tokenClaimRoleResolver.tokenClaims"); err == nil { testDecodeRaw_Config(t, vStringSlice, &actual.Rbac.TokenClaimRoleResolver.TokenClaims) } else { 
@@ -645,13 +645,13 @@ func TestConfig_SetFlags(t *testing.T) { } }) }) - t.Run("Test_rbacConfig.policies", func(t *testing.T) { + t.Run("Test_rbac.policies", func(t *testing.T) { t.Run("Override", func(t *testing.T) { testValue := DefaultConfig.Rbac.Policies - cmdFlags.Set("rbacConfig.policies", testValue) - if vStringSlice, err := cmdFlags.GetStringSlice("rbacConfig.policies"); err == nil { + cmdFlags.Set("rbac.policies", testValue) + if vStringSlice, err := cmdFlags.GetStringSlice("rbac.policies"); err == nil { testDecodeRaw_Config(t, vStringSlice, &actual.Rbac.Policies) } else {